I’m frightened because our enemies are no longer known to us. They do not exist on a map, they aren’t nations. They are individuals. And look around you – who do you fear? Can you see a face, a uniform, a flag? No, our world is not more transparent now, it’s more opaque! It’s in the shadows – that’s where we must do battle. -M, in Skyfall
Cybersecurity and resilience in healthcare are far more important now than ever. Given the increasing sophistication of cyberattacks, building cyber resilience is a must for organizations and leadership.
According to The Daily Swig, a UK-based publication focused on cybersecurity news and views, cyber security breaches in healthcare are growing at an alarming rate. The typical threats are cyber-attacks on IoT devices in healthcare, insufficient training of staff on cybersecurity issues, and not keeping up with the latest technologies.
The healthcare sector is an easy target for cybercriminals and vulnerable to data hacking and breach of confidentiality.
Rightly, the dark web, cybercrime and insecurity are on us!
Healthcare bleeding data
In its Monthly Breach Report: February 2023 Edition, PKWARE, a US-based global provider of data security solutions, says healthcare organizations the world over have suffered multiple attacks.
A ransomware attack at Saint Gheorghe Recovery Hospital in Romania at the end of 2022 severely affected medical activity. It wreaked havoc on the reporting of any services completed in December, which crippled the ability to pay salaries.
Another ransomware strike at Maternal and Family Health Services, a non-profit based in Pennsylvania (US), exposed critical information such as social security number, payment card data, driver’s license number, names, addresses, etc.
Malware have attacked behavioral and mental health services providers as well. Two of the victims are Lutheran Social Services of Illinois and Mindpath Health. Together, the breaches rendered vulnerable the confidential data of nearly 400,000 individuals.
Healthcare technology has not been spared either. One of the key victims is NextGen Healthcare, a provider of electronic health records.
Cyber resilience and cybersecurity: Related but not same
Cyber resilience is the pre-requisite for cybersecurity. While both may sound same and are related, they are not synonymous. Cybersecurity refers to the steps takes to protect information from digital risks, while cyber resilience refers to pre-empting situations and taking steps in advance for efficient protection.
According to TechTarget, a US-based provider of data-driven services to B2B tech vendors, cyber resilience is all about being proactive. It rests on:
- Anticipating the sources of threats
- Managing effectively when a breach happens
- Having visibility or foreseeing to keep up with future trends
To build cyber resilience, several security concepts are available in the market, such as Secure Access Service Edge (SASE), Least Privilege, Perimeter Security, Cybersecurity Mesh and Zero Trust. Of these, Zero Trust is touted as a key health tech trend to watch for in 2023.
Tata Consultancy Services says that to break the cycle of cyberattacks, organizations need to shed the conventional castle-and-moat security approach. The security-building strategy needs to be relevant, flexible, risk-aware, and resilient.
Zero trust offers all this.
When zero trust in healthcare is good.
Zero trust is a new security architecture. It refers to a framework designed to determine the access rights (for clinicians and hospital staff) to critical applications.
An article in Health Tech, a tech and healthcare-focused publication from CDW Corporation (a US-based provider of infotech solutions to government, education & healthcare companies), shares interesting insights. Citing Forrester Research and several other players in the domain, such as Virgin Pulse, a health and well-being navigation platform based in the US,it lists the key attributes of the zero trust approach and the necessity to adopt it.
The key tenet is that all components or units in healthcare – users, devices, workloads and data – should be untrusted by default. It calls for constant authentication along multiple factors, especially if users are logging in from multiple locations or various IP addresses. It is about deciding which resource should have access to a different application or resource at a given point in time. It also entails verification of the operating systems for mobile devices, browser security and software, such as Java or Chrome.
The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency enumerates5 pillars of the zero trust framework:
- Identity: This refers to defining the attributes for determining which users have access to which resources.
- Device: This covers IoT devices, laptops, mobile phones, and servers that connect to networks
- Network/environment: This covers segmentation and control of networks and management of data flow.
- Application workload: This refers to security and management of application delivery, including the application layer, along with containers.
- Data: This refers to the protection of data on devices, applications and networks.
Advantages of Zero Trust Security Concept
- According to experts cited in the HealthTech article, zero trust is efficient in securing and governing a healthcare environment dotted with a wide variety of users: physicians, nurses, technicians. All of them would require access to applications or consoles, depending on the need.
- There are several levels of access and personas, given the healthcare ecosystem. The data that is generated or recorded is not just vast. It is present across the entire supply chain, from the internal environment to that at the vendor end.
- With the help of zero trust, it is easy to manage the scale and range of access to healthcare-related data across applications, such as maintenance of digital records of health, electronic medical records,or billing. If access is mismanaged or errors creep in, dealing with authentication-related challenges can be a nightmare for physicians.
- The security framework facilitates compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations, as it covers analytics and logging. It becomes easier for healthcare organizations to track the people accessing data and its storage thereafter – whether writing to a file or as read-only.
- As a corollary to the above points, because of the security of data transfer, zero trust also increases the efficiency of insurance authorization and coverage approval.
Tread with caution
Implementation of zero trust warrants caution. According to Mike Gregory, Chief Information Security Officer & Executive Healthcare Strategist @ CDW Healthcare, healthcare organizations should tread carefully in implementing zero trust architecture.
The real challenge is in managing the governance aspect and understanding the workflow, followed by producing codes that are executable and easy for the system to manage.
Implementation, especially in healthcare, is highly complex and sophisticated that only experts in the domain can do. Precision is required right from the planning stage, to evaluation and deployment. Collaboration or partnership with zero-trust assessment experts may then be a better way forward.
A software as a concept to build resilience is no doubt a good idea.
Supplements in healthcare: Other essentials for a cyber-resilient workplace culture
Awareness and vigilance are not a choice: Be aware. Be vigilant. Integrate awareness/vigilance at the workplace.
Pass on the message to your broader management team, the administration managers, and the overall workforce. Connect with them as frequently as you can to ensure all are on the same page. Spread the word—loud and clear.
Hold discussions and meetings, involving experts in the domain, to emphasize on the significance of being aware and vigilant. Some organizations host webinars where white hat hackers take part. Healthcare can do that too. This is highly effective in generating awareness across the organization. They share tips on how to be vigilant at all times, what to look out for, how to pre-empt threats, and the criticality of safety measures, such as password-related rules.
Make sure all attributes of cybersecurity are in place. Build clear policies around IT security and ensure these are implemented effectively. Establish clear protocols on information management, covering critical patient data, with access rights.
Have your IT systems firewalled with the latest and best software. Hire the right talent in IT, people with the desired skills, experience and certifications. If sourcing is an issue, you could hire the services of experts in the domain, like VBeyond Corporation.
We have expertise in staffing and access to a diverse pool of healthcare tech talent. Leveraging our deep industry experience, we offer customized solutions to suit individual requirements.
Ensure policies are updated and circulated across the company from time to time. Making the staff, including nurses, aware should not be confined to onboarding only. You could have yearly assessments of individuals to make sure people are vigilant and know the basics.
Be one step ahead. If you are a health tech provider, while developing IT processes, you could involve white hat hackers. This will help you detect and foresee the vulnerabilities of your hardware and software systems.
Given the vast surface from where attacks could come, it is not possible for any organization to build absolutely fool-proof systems/practices. However, awareness and vigilance go a long way in preventing data thefts and privacy breaches. It will help you in protecting critical resources, and will not hamper your growth and transformation.
Any malware attack also weakens the ability to innovate, which would derail progress and you could lose ground to your competitors.
Stay ahead in the game.
Are you committing that bigger crime than data theft? Absence of coordination and collaboration.
No war is won without effective coordination between all units of the defenses. The same rule applies here.
Take your management team into confidence. Coordinate with the heads of the different departments and administration, not just the head of the IT department. Find out what they think about building resilience. What are the likely risks they foresee in their domains? Which of these are acceptable and which should be prioritized? How do they visualize and categorize data in terms of criticality? From which sources could the threats arise? What’s their opinion on regulations and how to implement these? Which protections should be maximized?
The benefit is twofold. One, involving all the right minds, you build a substantial repository of ideas and approaches to tap into. Second, what the organization functions as a unit and with an approach that is inbuilt, your chances of limiting the damage are high. You emerge more resilient.
To defeat cyber criminals, healthcare organizations need to think one step ahead of them. This means building resilience into the system. Just ensuring security is not enough. This is where zero trust enters the picture.
Zero trust, as a security concept, according to experts, is set to emerge as a key cohesive framework to which organizations will align their functions and infrastructure. It offers several advantages, such as efficiency in securing and governing the healthcare environment, in managing vast sets of data, and in ensuring compliance with regulations.
The potential notwithstanding, a lot rides on the effective implementation of all the components of the zero trust model for effective cyber resilience.
As they say, trust is fragile; handle with care.